Strengthen Your Firm's Defenses Against Ransomware
With its attractive business model and multiple revenue streams, ransomware is a growing threat to financial services firms and their third-party suppliers. There are many steps you can take to prevent attacks.
Invest in resiliency. Participate in ransomware exercises to build the muscle memory in your organization to respond quickly and consider common decisions associated with a ransomware attack. Upskill your teams (not just security, but everyone who needs to be involved in case of an attack) to be able to anticipate, communicate, respond, and identify any gaps in your process or communications.
Vault your data. Savvy ransomware attackers go into your systems and delete your backups before sending ransom notes and encrypting data. Make sure your critical data is archived in an offline vault that is detached from the rest of your systems. If your backups remain online, ensure segregation from production systems, and use unique credentials for access. For US banks and brokerages, Sheltered Harbor provides an industry standard for achieving this.
Protect your endpoints. Since ransomware targets endpoints, focusing on them reduces the likelihood of initial compromise, promotes early detection, and minimizes spread.
- Deploy agent-based disk and process/execution scanning (EDR) to identify and block known malicious software and behaviors.
- Implement network-based IPS that can identify and drop malicious network traffic, as well as block known malicious domains and IPs.
- Use DNS filtering to prevent access to newly registered and unverified domains.
- Limit remote administrative access (RDP) and enforce MFA.
- Require signed executables and scripts to avoid unsanctioned or malicious executables running in your environment.
- Perform ongoing patch management, prioritizing remediation of public, remote, and crown jewel systems.
Focus on email security. Most ransomware starts as phishing/spear phishing to the inbox. Intercepting malicious mail before your users have an opportunity to click is key.
- Enable attachment scanning, URL rewriting, and IP reputation filtering.
- Enforce SPF/DKIM/DMARC policies.
- Use external sender banners.
- Support programmatic removal of mail that is determined to be malicious post-delivery.
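As an added example that is not part of the original article, the following Python checks a domain's SPF and DMARC TXT records for the settings that leave the "enforce SPF/DKIM/DMARC" item above unmet (a non-failing SPF qualifier, a monitor-only DMARC policy, no reporting address, partial enforcement). The records and domain names are constructed; a practitioner would feed it the TXT records pulled from DNS for their own sending domains.

```python
# Constructed TXT records for a hypothetical domain, as a defender would
# pull them from DNS: one weak pair and one hardened pair (no network needed).
SAMPLE_RECORDS = {
    "weak": {"spf": "v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 ?all",
             "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.test"},
    "hardened": {"spf": "v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 -all",
                 "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"},
}

def check_spf(record):
    """Return findings for an SPF TXT record (empty list means it enforces)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    terms = record.split()
    last = terms[-1].lower()  # the terminating 'all' decides unlisted senders
    findings = []
    if last in ("+all", "all"):
        findings.append("'+all' lets any host send as this domain")
    elif last == "?all":
        findings.append("'?all' is neutral: SPF failures are not rejected")
    elif last == "~all":
        findings.append("'~all' is softfail: rejection depends on DMARC")
    elif last != "-all":
        findings.append("no terminating 'all' mechanism")
    return findings

def check_dmarc(record):
    """Return findings for a DMARC TXT record (empty list means it enforces)."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record published"]
    tags = {k.strip().lower(): v.strip() for k, v in
            (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("no enforcing policy (p=quarantine or p=reject)")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are never received")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to a sample only")
    return findings

def assess(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return check_spf(records.get("spf")) + check_dmarc(records.get("dmarc"))
```

DKIM is not covered because its correctness is judged per signed message, not from the published key record alone.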
Secure the network. Segmenting the environment forces threat actors to work harder to move laterally within your systems.
- Require MFA to access privileged networks (802.1x, VPN, bastion strategy).
- Implement segmentation strategies to isolate data and systems.
- Monitor across segments and networks (east-west traffic) in addition to ingress/egress traffic.
Incorporate threat analysis and detection into decision making.
- Collect security and endpoint logs in a SIEM.
- Integrate threat intelligence feeds into security tooling.
- Establish alerting and notifications for security operations.
- Use threat intelligence to scope red teaming and penetration testing activities.
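The SIEM alerting items above, as an added Python example that is not from the original article: a rule run over a constructed endpoint file-event log (the log format, hostnames and process name are assumptions) that flags one process writing or renaming many files across several directories within a short window, mostly to a single new extension, which is the pattern bulk encryption of a file share produces and a normal editing session does not.

```python
from collections import Counter, defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

WINDOW_SECONDS = 60   # look-back window per host/process pair
MIN_EVENTS = 20       # files touched inside the window before we alert
MIN_DIRECTORIES = 3   # spread across directories, unlike a normal save

def build_sample_log():
    """Constructed EDR events (ts|host|process|action|path): a normal editing session on ws-017, then a burst on ws-042."""
    lines = [
        "2024-03-01T09:00:01Z|ws-017|excel.exe|WRITE|C:\\Users\\amy\\Documents\\q1.xlsx",
        "2024-03-01T09:01:30Z|ws-017|winword.exe|WRITE|C:\\Users\\amy\\Documents\\memo.docx",
    ]
    for i in range(30):  # hypothetical process renaming 30 files in 30 seconds
        folder = ["Finance", "HR", "Legal"][i % 3]
        lines.append(f"2024-03-01T09:05:{i:02d}Z|ws-042|updater.exe|RENAME|"
                     f"C:\\Share\\{folder}\\doc{i}.docx.locked")
    return lines

def parse(line):
    ts, host, proc, action, path = line.split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "proc": proc, "action": action, "path": PureWindowsPath(path)}

def detect_mass_modification(lines):
    """Sliding-window rule: MIN_EVENTS writes/renames by one process across MIN_DIRECTORIES dirs in WINDOW_SECONDS, 80%+ to one extension."""
    by_actor = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e["action"] in ("WRITE", "RENAME"):
            by_actor[(e["host"], e["proc"])].append(e)
    alerts = []
    for (host, proc), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                start += 1  # slide the window forward until it fits
            window = evs[start:end + 1]
            if len(window) < MIN_EVENTS:
                continue
            dirs = {str(e["path"].parent) for e in window}
            ext, n = Counter(e["path"].suffix for e in window).most_common(1)[0]
            if len(dirs) >= MIN_DIRECTORIES and n / len(window) >= 0.8:
                alerts.append({"host": host, "process": proc, "files": len(window),
                               "directories": len(dirs), "extension": ext})
                break  # one alert per host/process is enough for the SOC
    return alerts
```

The thresholds are starting points to tune against your own baseline; the alert fires as soon as the window first fills, so the responder gets it while the burst is still in progress.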
Regularly educate and train employees to maintain situational awareness and report any potential issues immediately. Provide real-world examples and repercussions of successful ransomware exploits.
- Use Spot the Phish awareness campaigns and integrate phish reporting in the email client.
- Provide document management guidance to users aligned with the backup strategy.
- Brief the Board and/or Board Committees on ransomware-related security posture.
Maintain a rigorous third-party risk assessment program, using a zero-trust mindset, and have a communications plan with third-party suppliers in case of an attack. Ensure your third parties are considered when conducting internal red teaming and penetration testing.
Understand that law enforcement agencies often work with the private sector to develop decryption tools quickly after ransomware attacks occur (see NoMoreRansom). These tools can be used to decrypt infected machines. Law enforcement can also help properly gather evidence when incidents occur.
Ensure your incident response and business continuity plan includes ransomware response protocols such as:
- Details for employees about whom to call if a ransomware ploy is successful.
- The ability to isolate the infected system from the network.
- Steps to isolate or power off affected devices that have not yet been completely corrupted.
- A way to immediately secure backup data or systems by taking them offline and ensuring backups are free of malware.
- Tools to change all online account passwords and network passwords after removing the system from the network.
- How to work with law enforcement as appropriate.
- A review of your prevention and identification processes.
- A review of hardening guidance from your local CERT or government cybersecurity agency, such as US CISA's Ransomware Guide.
Finally, share threat intelligence to know your enemy. As ransomware perpetrators vary widely, threat intelligence is a critical tool in understanding how to respond to a ransomware attack. Utilize both a global network as well as smaller trusted circles that focus on your vertical and/or geography.
If you want to learn more about ransomware, read our 2020 report The Rise and Rise of Ransomware and stay tuned for our 2021 edition.